Nearly 20 U.S. States Do Not Audit Election Results by Checking Paper Ballots Against Machine Counts or Lack a Paper Ballot to Conduct Effective Audits

WASHINGTON, D.C. – Wisconsin’s action last week requiring a post-election audit will help secure the November vote and should be followed by states that lack such protections, according to Public Citizen and Verified Voting.

On Tuesday, the Wisconsin Election Commission (WEC) took a key step to secure the vote by requiring an audit of November’s election results before they are made official. The commission voted to randomly select five percent of voting machines in the state to be audited the day after the 2018 general election. For the audit, municipal clerks will hand count ballots from randomly selected machines, comparing what’s on the paper ballot to what the machine recorded. They will do this across four races before the vote count is finalized. (See WEC meeting minutes pages 34 and 49.)

Wisconsin’s action shows that it’s not too late to commit to auditing the 2018 vote counts before finalizing results, Public Citizen and Verified Voting said. Votes can – and should – be checked against voter-marked paper ballots for accuracy.

Written Testimony of Verified Voting President Marian K. Schneider before the Pennsylvania Senate State Government Committee Public Hearing on Senate Bill 1249 and Voting Machine Demonstration, September 25, 2018. Download as PDF.

Thank you Chairman Folmer, Minority Chair Williams, and members of the Committee for allowing Verified Voting to submit written testimony in connection with the Senate State Government Committee hearing. We write to address the security risks presented for Pennsylvania’s counties and the need to expeditiously replace aging and vulnerable electronic voting systems. We urge the Committee to recommend that the Commonwealth appropriate adequate funding to permit counties to replace their aging electronic voting systems as soon as possible.

Verified Voting is a national non-partisan, non-profit research and advocacy organization committed to safeguarding elections in the digital age. Founded by computer scientists, Verified Voting’s mission is to advocate for the responsible use of emerging technologies to ensure that Americans can be confident their votes will be cast as intended and counted as cast. We promote auditable, accessible and resilient voting for all eligible citizens. Our board of directors and board of advisors include some of the top computer scientists, cyber security experts and statisticians working in the election administration arena as well as former and current elections officials. Verified Voting has no financial interest in the type of equipment used. Our goal is for every jurisdiction in the United States to have secure and verifiable elections.

There are two basic kinds of electronic voting systems in use in Pennsylvania: Direct recording electronic (DRE) or optical scan systems. Both types of systems are computers, and both are prepared in similar ways. The primary difference is that an optical scan system incorporates a voter-marked paper ballot, marked either with a pen or pencil or with a ballot marking device and that ballot is retained for recounts or audits. Optical scan systems leverage the speed of the computer to report unofficial results quickly. The presence and availability of that paper ballot provides a trustworthy record of voter intent and allows jurisdictions to monitor their system for problems, detect any problems, (either hacking or error), respond to them and recover by, if necessary, hand counting the paper ballots. Seventeen counties in Pennsylvania already benefit from the security protection of paper ballots.

Kansas, Delaware, and New Jersey are in the process of purchasing voting machines with a serious design flaw, and they should reconsider while there is still time!

Over the past 15 years, almost all the states have moved away from paperless touchscreen voting systems (DREs) to optical-scan paper ballots. They’ve done so because if a paperless touchscreen is hacked to give fraudulent results, there’s no way to know and no way to correct; but if an optical scanner were hacked to give fraudulent results, the fraud could be detected by a random audit of the paper ballots that the voters actually marked, and corrected by a recount of those paper ballots.

Optical-scan ballots marked by the voters are the most straightforward way to make sure that the computers are not manipulating the vote. Second-best, in my opinion, is the use of a ballot-marking device (BMD), where the voter uses a touchscreen to choose candidates, then the touchscreen prints out an optical-scan ballot that the voter can then deposit in a ballot box or into an optical scanner. Why is this second-best? Because (1) most voters are not very good at inspecting their computer-marked ballot carefully, so hacked BMDs could change some choices and the voter might not notice, or might notice and think it’s the voter’s own error; and (2) the dispute-resolution mechanism is unclear; pollworkers can’t tell if it’s the machine’s fault or your fault; at best you raise your hand and get a new ballot, try again, and this time the machine “knows” not to cheat.

This article was originally posted at phys.org.As voters prepare to cast their ballots in the November midterm elections, it’s clear that U.S. voting is under electronic attack. Russian government hackers probed some states’ computer systems in the runup to the 2016 presidential election and are likely to do so again – as might hackers from other countries or nongovernmental groups interested in sowing discord in American politics.

Fortunately, there are ways to defend elections. Some of them will be new in some places, but these defenses are not particularly difficult nor expensive, especially when judged against the value of public confidence in democracy. I served on the Iowa board that examines voting machines from 1995 to 2004 and on the Technical Guidelines Development Committee of the United States Election Assistance Commission from 2009 to 2012, and Barbara Simons and I coauthored the 2012 book “Broken Ballots.”

Election officials have an important role to play in protecting election integrity. Citizens, too, need to ensure their local voting processes are safe. There are two parts to any voting system: the computerized systems tracking voters’ registrations and the actual process of voting – from preparing ballots through results tallying and reporting.

Today the National Academies of Sciences, Engineering, and Medicine released a report on election security, “Securing the Vote: Protecting American Democracy.” The Committee for The Future of Voting, which includes Verified Voting Board member Ron Rivest and Advisory Board member Andrew Appel, released the report at a public event in Washington, DC, where the report’s findings and key recommendations were discussed. Included in the Committee’s recommendations, which echo many of Verified Voting’s policies, were:

Human-readable paper ballots, made available for all elections as soon as 2018

State-mandated risk-limiting audits

Increased funding to state and local governments for cybersecurity and election infrastructure

Several startup companies have recently begun to promote Internet voting systems, but with a new twist – using a blockchain as the container for voted ballots transmitted over the Internet from the voter’s private device. Blockchains are a relatively new system category a little akin to a distributed database. Proponents of blockchain voting promote it as a revolutionary innovation providing strong security guarantees that enable truly secure online elections. Unfortunately, these claims are false. Blockchains do not offer any real election security at all.

Internet voting has been studied by computer security researchers for over twenty years. Cyber security experts universally agree that no technology, including blockchains, can adequately secure an online public election. Elections have unique security and privacy requirements fundamentally different from and much more stringent than those in other applications, such as e-commerce. They are uniquely vulnerable because anyone on Earth can attack them, and a successful cyberattack might go completely undetected, resulting in the wrong people elected with no evidence that anything was amiss.

Honorable Members of the Commission: I serve as Senior Advisor to Verified Voting, a national non-partisan non-profit educational and advocacy organization committed to safeguarding elections in the digital age. Verified Voting advocates for the responsible use of emerging technologies to ensure that Americans can be confident their votes will be cast as intended and counted as cast. We promote auditable, accessible and resilient voting for all eligible citizens. I previously served as President of Verified Voting for more than a decade. I have provided information and testimony on voting technology and policy issues at federal and state levels, including to the US House of Representatives Committee on House Administration, and earlier this year at the Joint Hearing of Assembly Elections and Redistricting and Senate Elections and Constitutional Amendments Committees, on Cybersecurity and California’s Elections.1

I have curated an extensive information resource on election equipment and regulations nationwide, and co-authored several key works on election security policy, including Principles & Best Practices for Post Election Audits2and the introductory chapter of Confirming Elections: Creating Confidence and Integrity through Election Auditing.3 I participate in the Future of California Elections, a collaboration between election officials, civil rights organizations and election reform advocates to examine and address the unique challenges facing the State of California’s election system.[4. Futureofcaelections.org] I also serve on the Los Angeles County Voting Systems for All People (VSAP) Technical Advisory Committee.4

In my capacity at Verified Voting I have worked with advocates, election officials and lawmakers from all across the country. In my view, the states that do the best on metrics relating to voting system security are often the ones that continue to look for and embrace opportunities to improve. As security threats do not stand still, neither can those whose work it is to safeguard our elections and consequently our democracy. I applaud the Little Hoover Commission for taking up this crucial topic of investigation, and am pleased to participate in and contribute to that effort.

Election security is not an on-off switch, where a thing either is secure or it is not. Rather it involves incrementing layers of effort, analysis, systems and procedures, all created or conducted by people, all while balancing costs and priorities. Such incremental measures harden a system, making it more secure than before and solving for problems when they occur. Perfect security is not attainable, but diligence in the pursuit of secure elections is.

Verified Voting debuted its latest infographic, “A Flowchart for Conducting Risk-Limiting Audits,” at the National Association of Secretaries of States (NASS) 2018 Summer Conference in Philadelphia. In addition to sharing this with election officials at the conferences this summer, Verified Voting is working closely with jurisdictions to demonstrate how to implement robust post-election audits. Check it out below:

This handy flowchart explains the process of conducting a risk-limiting-audit (RLA)

Summer is here and that means Verified Voting’s work is heating up! In the past few months Verified Voting has added staff, increased our state work, produced a valuable toolkit for election officials and advocates that received press in POLITICO and The Hill and created a set of infographics and maps which appeared in the Wall Street Journal and NPR (make sure to scroll down to see Verified Voting’s latest infographic: “Safeguarding Our Elections: The Solutions to Vulnerabilities in Election Security”).

The media continues to be instrumental in helping us raise awareness about safeguarding elections. Here are some recent highlights:

Fast Company – How U.S. Election Officials Are Trying To Head Off The HackersBloomberg – Hack-Resistant Vote Machines Missing as States Gird for ’18 VoteReuters – Ahead of November election, old voting machines stir concerns among U.S. officialsWashington Post – How Colorado became the safest state to cast a voteAssociated Press – Election Hacking Puts Focus on Paperless Voting MachinesAxios – Exclusive poll: Majority expects foreign meddling in midtermsPOLITICO – Election system experts debate merits of wireless tech in voting machines

Verified Voting has gone visual! In addition to recently collaborating with the Wall Street Journal and NPR on maps depicting voting technology across the states, Verified Voting created its own infographic: “Safeguarding Our Elections: The Solutions to Vulnerabilities in Election Security.”

The infographic is the first in a series of visuals Verified Voting is creating. This piece breaks down the state of our elections, which states are most vulnerable, the solution and what people can do. We urge you to take a look and share with your networks. You can download infographic or find it on our Twitter or Facebook.

A new toolkit designed for advocates and election officials offers suggestions for best practices for conducting post-election audits as well as tips for local jurisdictions considering purchasing new voting machines. The toolkit, “Securing the Nation’s Voting Machines,” is a joint project between Verified Voting, the Brennan Center for Justice, Common Cause and the National Election Defense Coalition.

“Cyber security experts agree that our voting systems need to be resilient and allow jurisdictions to monitor, detect, respond and recover from an event that interferes with the software. Resilient systems incorporate a paper ballot that is retained for recounts and post-election audits,” said Marian K. Schneider, president of Verified Voting. “This toolkit provides a roadmap for election officials nationwide who are looking to implement these resilient systems.”

On March 23rd, Congress allocated $380 million to states to upgrade election security. This is a positive development. In the age of unprecedented hacking risks, researchers have found that electronic voting infrastructure — including voting machines and registration databases — have serious vulnerabilities. While there’s no evidence that vote totals were hacked in 2016, there’s strong evidence that hackers have been testing the waters.

While federal funding can help states address these issues, simply upgrading or replacing election infrastructure is not sufficient. It is essential that states work with the Department of Homeland Security or other trusted providers to scan their systems for cyber vulnerabilities, and follow best practices identified by computer scientists, national security leaders, and bipartisan experts in elections administration to mitigate hacking risks. On March 20, the Senate Select Committee on Intelligence released its long-awaited recommendations on election security and concluded that requiring paper ballots, banning wireless components and implementing statistically sound audits of election results are essential safeguards. Last year, a group of 100 leading computer scientists and other election administration experts voiced the same conclusion. Through years of researching voting equipment security in real election administration environments, the National Institute of Standards and Technology (NIST) has come to similar conclusions about what it will take to defend elections.

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

Recently, there have been two graphic demonstrations of how bad our computerized voting system is. In 2007, the states of California and Ohio conducted audits of their electronic voting machines. Expert review teams found exploitable vulnerabilities in almost every component they examined. The researchers were able to undetectably alter vote tallies, erase audit logs, and load malware on to the systems. Some of their attacks could be implemented by a single individual with no greater access than a normal poll worker; others could be done remotely.

Demonstration Shows Vulnerability of Voting Machines With No Paper Backup

The New York Times published an interactive piece on election security today that included a video featuring Verified Voting fellow, Alex Halderman. The piece, “I Hacked an Election. So Can the Russians,” was the result of a months-long collaboration between Verified Voting and the New York Times.

How Will My Vote Be Counted?

“Alex Halderman, along with the New York Times, successfully demonstrated how vulnerable these voting machines can be,” said Marian K. Schneider, president of Verified Voting. “We want people to understand in a visual way how something like this might happen. Although it is only a risk and not a certainty that something like this could occur, we need to be prepared and able to recover. These machines don’t allow us to do that. It’s time we prepare to monitor, detect, respond and recover from any potential attacks that undermine our democracy.”

“All cyber security experts who have given electronic voting machines any thought agree, these machines have got to go,” said Alex Halderman in the video. “Paper plus audits; all elections should be done this way,”

Election security is the way we protect our elections from interference and allow voters to feel confident that their vote is being counted. Being able to trust election results is a cornerstone of democracy. 2016 was a harsh reminder of what can happen when we don’t have secure election systems- and demonstrates the need for us to act quickly. Luckily, we can all ensure the safety of our elections, by working with our local and state election officials to make sure all of our votes are counted.

The key takeaways are that the reforms (paper ballots and robust audits) are not only totally possible, but super important. Every major reform that has been passed at the state level has been lead by grassroots activists who knew how important it was to make sure our votes are counted. The progressive movement, in light of the interference in the 2016 election, has been calling on us to understand how to advocate for these campaigns.Election Security is often seen as a wonky, insider issue.

Under the terms of the omnibus spending bill voted on by the House, states will receive $380 million within months to start to strengthen the security of our nation’s election infrastructure. This near-term funding is the product of tireless work by members of both parties, and a critical acknowledgment from Congress that protecting our elections is a matter of national security. States can use the funding immediately to begin deploying paper ballots, post-election audits, and other essential cybersecurity improvements. However, the new funding is only a first step, as many in Congress have acknowledged, and further Congressional action will be necessary in order to ensure that future elections are secure.

Most significantly, the omnibus funding as allocated to the states under the Help America Vote Act (HAVA) will not be enough for some states to replace their insecure voting machines. Because paperless electronic voting systems are highly vulnerable to cyberattacks, it is urgent that those systems be replaced as soon as possible, as the Senate Select Committee on Intelligence (SSCI) recommended earlier this week. Until this is done, it will be impossible to ensure that election results as reported by the voting system have not been corrupted by a cyberattack.

Thirteen states, including key swing states like Pennsylvania, continue to use paperless voting today. One of the main reasons is cost: cash-strapped states simply can’t afford to replace this aging equipment. Unfortunately, our analysis shows that under the new federal funding, five of the 13 states with paperless machines will receive less than 25 percent of the money they may need to replace them. Moreover, most states will also need to use some of the new funding to pay for improved auditing and other security measures, leaving even less for crucial technology upgrades.

Marian K. Schneider: “[T]he current bill will perpetuate the cycle of unverifiable voting in Georgia. Verified Voting cannot support the bill unless significant changes are made.”

The following is a statement from Marian K. Schneider, president of Verified Voting, about why Georgia’s current Senate Bill 403 cannot ensure a verifiable and accurate election system. For additional media inquires, please contact aurora@newheightscommunications.com

“Georgia voters need a secure voting system with voter-marked paper ballots and audits, but instead, Georgia’s electoral system is left insecure and unverifiable. The current version of Senate Bill 403, which recently passed the House Government Affairs Committee, has morphed into a sweetheart deal for a group of voting machine vendors. Georgia voters are simply demanding a verifiable secure election system …nothing more.

Marian K. Schneider: “We applaud this decision today to increase the integrity of Pennsylvania’s elections and its move to safeguard elections.”

The following is a statement from Marian K. Schneider, president of Verified Voting, formerly Deputy Secretary for Elections and Administration in the Pennsylvania Department of State, on Pennsylvania’s announcement that it will no longer purchase paperless DREs and that going forward all new voting machines must have a voter-verifiable paper ballot or paper record. For additional media inquires, please contact aurora@newheightscommunications.com

“Pennsylvania is taking a critical step towards safeguarding elections by replacing its aging voting systems and restoring voters’ faith that their votes will be counted as cast. The only way to address the risk of software problems is to require a physical paper ballot that can be used to check the computer-generated votes.

An oversight in York County, Pennsylvania on the eve of last November’s Election Day questioned the rightful winner of the election, but thankfully the potential damage stopped there. Still, the discovery of a technical error — one that allowed voters to cast multiple votes for a candidate in races with cross-filed candidates — risked the integrity of the election. This could’ve been easily preventable with paper ballots.

Most Pennsylvania voters are using paperless electronic voting machines to cast their ballot. The problem is that these outdated machines — also known as direct recording electronic (DRE) systems —are unverifiable. DREs, or voting machines without paper ballot back-up, have been the source of controversy for years because of their inability to allow anyone to verify the results. Instilling confidence in election outcomes can only occur by replacing these systems with newer ones that provide a software independent record of voter intent and implementing statistically meaningful audits of those records.

We know there was foreign interference during the 2016 election cycle, and that similar acts to undermine faith in America’s democratic systems are a possibility. Security experts agree that safeguarding and protecting election systems is important and that no system is completely secure. That’s why security experts recommend ensuring that all computer-based systems, including voting machines are resilient, that is, they have the ability to identify a problem and recover from it. Replacing the outdated voting systems with resilient machines is imperative before the 2018 elections because, for more than 80 percent of Pennsylvania voters in 50 counties, no one has any way of knowing whether the paperless voting machines correctly captured voter intent.

The following is a statement from Marian K. Schneider, president of Verified Voting, regarding the U.S. Election Assistance Commission (EAC) summit held today in Washington, D.C. For additional media inquires, please contact aurora@newheightscommunications.com

“As officials look to address the risks our elections face today, it is essential that voter-verified paper ballots and post-election audits are recognized as the best way – given current technology – to ensure that an attack on our voting systems can be detected and the outcome verified. With midterm elections quickly approaching, it’s time we also prepare to monitor, detect, respond and recover from these potential attacks. The good news is that we can, and Congress has a bill that goes a long way in doing so.